In this work we review the security vulnerability of Quantum Cryptography with respect to "man-in-the-middle attacks" and the standard authentication methods applied to counteract these attacks. We further propose a modified authentication algorithm which features higher efficiency with respect to the consumption of mutual secret bits.



INTRODUCTION 

Quantum Key Distribution (QKD) or "quantum cryptography" is a Quantum Mechanics based cryptographic primitive which, in principle, holds the potential of absolutely secure communication that cannot be compromised by any eavesdropping technique. The strength of the QKD primitive is the unconditionally secure simultaneous generation of two identical bit streams at two distinct locations, which subsequently can be used as a key in symmetric (unconditionally or computationally secure) encryption schemes. However, it is well known that QKD requires a public channel with trusted integrity, as otherwise a potential adversary (Eve) can easily mount a "man-in-the-middle attack". If the eavesdropper can manipulate messages on the public channel there is no way to guarantee that in the course of a QKD protocol the two legitimate communication parties (Alice and Bob) are really exchanging the messages they are sending to each other. Eve can simply cut the quantum channel and subsequently communicate over both the quantum and the public channels with Bob as if she were Alice and with Alice as if she were Bob. Eventually she would thus share two independent keys with the two legitimate parties and gain full control of all the subsequently transmitted encrypted information without being noticed at all. The described type of attack can be counteracted by authenticating the QKD protocol messages transmitted over the public channel. Basically, public key authentication methods and symmetric key authentication methods can be used (see Ref. [?] for a discussion of the relative merits and drawbacks of these methods). It is however straightforward to notice that unconditionally secure key generation by means of QKD is only feasible if it is combined with methods providing unconditionally secure authentication. Standard public key methods are automatically ruled out if one sticks to this requirement, as the latter are only computationally secure and potentially subject to cryptanalysis by means of quantum computers. Therefore, already in Ref. [2] it was proposed to use unconditionally secure symmetric message authentication methods, as e.g. developed in Ref. [3], to ensure the integrity of the public channel. The main idea of the application of these methods in QKD is to intertwine the transcript of the public channel communication with an independent secret, which the two legitimate parties share, and on this basis provide a mechanism for authenticating this communication. Alice and Bob therefore need an initial secret key, which they use only once. Subsequently, in each QKD session they renew the mutual secret by reserving part of the newly generated key; this key is used for channel authentication purposes in the next session. This paradigm has been elaborated in subsequent publications [?]. It should be noted that while the unconditional security of QKD is thus retained, it is basically degraded from a secret key generation scheme in the strict sense to a secret key growing technique.

In what follows we restrict our discussion to symmetric key message authentication methods and, similar to Wegman and Carter [?], base our approach on strongly universal$_2$ functions. In Section 2 we discuss a general method for producing message authentication tags using only a moderate amount of the secret key. In Section 3 we briefly discuss the details of the authentication algorithm in relation to the QKD protocol. We also present a modular integrated software library implementing full scale QKD protocols, including public channel authentication, used in the framework of a recent quantum cryptographic experiment.



MESSAGE AUTHENTICATION PRIMITIVE 

A broad class of unconditionally secure symmetric key message authentication approaches follow the method described in Ref. [?]. This method is independent of the context in which authentication is applied and therefore we refer to it in what follows as the authentication primitive. Before discussing the primitive itself we briefly review the foundations of message authentication by means of a family of strongly universal$_2$ functions. Let $H_A$ be such a family of functions which maps the set of all messages $A$, typically the set of binary strings of length $m$, to the set of all authentication tags $B$, typically the set of binary strings of length $n < m$. One can then authenticate a message by sending an authentication tag in addition to the message itself over the communication channel. An adversary willing to manipulate the original message must also be able to produce the proper tag for the manipulated message. The authentication system is unbreakable with probability $p$ when $B$ is chosen to have at least $1/p$ elements [?]. The term "unbreakable with probability $p$" is used in the following sense: if a message $l \in A$ yields a tag $t \in B$ through a randomly chosen function $f \in H_A$, $t = f(l)$, and if an eavesdropper knows $l$ and $t$ but not $f$, she has only a probability lower than $p$ of finding the proper tag $t'$ of a different message $l'$ with respect to $f$, $t' = f(l')$. The legitimate parties share a secret key, which is used as an index into the function space $H_A$. In this sense the secret sharing is symmetric. The secret can be used only once. The problem with this basic approach is that most of the well known families of strongly universal$_2$ functions are typically larger than the space of all messages. Therefore, the key needed to authenticate a message is longer than the message itself. This is a particular problem in quantum cryptography, where the key growth factor directly depends on the portion of the generated key reserved for subsequent authentication. While it is necessary to minimize the length of the messages to be authenticated, as discussed in Section 3, it is also strongly desirable to restrict the space of applied hash functions, reduce the secure key consumption for authentication purposes and thus obtain efficient authentication methods. At the expense of increasing the "security parameter" $p$ to $2p$, Wegman and Carter propose a method for building a relatively restricted family of almost strongly universal$_2$ hash functions [3], which uses a basic class of strongly universal$_2$ hash functions into intermediate spaces as a kernel. Wegman and Carter choose a specific multiplicative family of hash functions (denoted as $H_1$ in Ref. [?]) to map strings of length $2s$ to those of length $s$, where

$s = n + \log_2 \log_2 m$ .   (1)

Note that by definition the cardinality of this class, being a function of $s$, only slowly grows with $m$. The original message $l$ is then divided into substrings of a defined length $2s$ and a randomly chosen hash function from the mentioned class is applied to the substrings. The set of resulting tags is then concatenated to produce an intermediate message. The latter is then once again subdivided into substrings of length $2s$ and a new hash function from the described family is applied to each substring. This process is repeated until only one tag remains. The lower order $n$ bits are taken as the final authentication tag $t$. One can show [?] that this method defines an almost strongly universal$_2$ family of functions from $A$ onto $B$. Wegman and Carter also prove that the key length needed to index this family is

$k = 4 s \log_2 m$ .   (2)

This method constitutes a general primitive for symmetric key authentication. The definition of the almost strongly universal$_2$ class of hash functions is independent of the underlying kernel class of intermediate strongly universal$_2$ functions, and any such class can be used. The authentication of the public channel in QKD discussed so far in the literature (see e.g. Refs. [?] and [?]) is almost exclusively based on the discussed primitive developed in Ref. [?], including the choice of the basic intermediate class of strongly universal$_2$ ($2s$ to $s$) hash functions. It is obvious that this method is suitable for authenticating long messages. As an example, for authentication tags which are 64 bits long the message length exceeds the key length if the former is longer than 3138 bits. For messages longer than 20000 bits the message length exceeds the key length already by a factor of four. However, in certain settings, and in particular in the QKD case, it is highly relevant to have an efficient authentication primitive also for short messages. To this end we propose a new primitive, which consists of a two step procedure. First, one maps the initial message $l$ from $A$ to $Z$, where $Z$ is the set of all binary strings of length $r$ ($m > r > n$), by means of a single publicly known hash function $f_0$, so that $z = f_0(l)$. The second step is a direct application of the basic approach discussed above. One sends $l$ over the communication channel alongside $t = f(z)$, where $f$ is a randomly chosen secret strongly universal$_2$ hash function from $H_Z$ mapping $Z$ onto $B$. We first discuss the security of this primitive and then assess the amount of secret key needed for its implementation. The security of the primitive is given by the probability $p$ of an adversary producing a proper authentication tag for a modified message (cf. the discussion above). Obviously

$p = p_1 + p_2$, $\quad p_2 = 1/|B|$ .   (3)

Here, $p_2$ is the probability for the eavesdropper to break the strongly universal$_2$ family $H_Z$ (see Ref. [?]), while $p_1$ is the probability that the initial message and the modified message yield the same tag $z$ under the chosen fixed hash function $f_0$:

$p_1 = \max_{l} \left( \Pr\{ f_0(l) = f_0(l') \mid l \neq l' \} \right)$ .   (4)

Clearly all messages in $A_0 = f_0^{-1}(z)$ yield the same authentication tag $z$ and thus

$p_1 = \max_{l} \left( \Pr\{ l' \in A_0 \setminus \{l\} \} \right)$ .   (5)
If $A_0$ is independent of the choice of $l$ and all $l$ are equally probable (the distribution of meaningful messages in the space of all bit strings is uniform), then

$p_1 = (|A|/|Z| - 1)/|A| < 1/|Z|$ for all values of $|A|$,

$p < 1/|B| + 1/|Z|$ .   (6)

In addition to the two basic assumptions in the derivation of Eq. (6) one should note that we implicitly assume that the message $l'$ is random and fixed, i.e. the eavesdropper cannot choose the manipulated message at will. While this cannot be taken for granted in general, in the case of man-in-the-middle attacks in quantum cryptography $l$ and $l'$ are definitely randomly and independently fixed beyond the scope of influence of the adversary. (In this case of a man-in-the-middle attack $l$ and $l'$ are protocol extracts from the communication between Alice and Eve and between Eve and Bob respectively, whereby these are generated through physical random processes and Eve has no opportunity at all to change either $l$ or $l'$.) The assumption that $A_0$ is independent of $l$ can be guaranteed by any suitably chosen hash function that constitutes a homomorphism of $A$ onto $Z$. Finally, the assumption of a uniform distribution of all possible messages depends on the choice of the protocol extracts and cannot always be granted. However, one can initially perform a uniform randomizing operation, e.g. by XORing the message $l$ with a completely random bit string of the same dimension. The latter can be obtained by means of a deterministic pseudo-random generator, whereby a number of secret bits from the joint secret are used as the seed. The application of other appropriate uniform randomizers, possibly integrated in the definition of $f_0$, is also feasible.

We would now point out that the secret key needed in this approach is exactly the number of bits needed to index the family $H_Z$. Obviously, if $r$ (the dimension of $Z$) is chosen to be moderate and an appropriate restricted strongly universal$_2$ class is selected, then the amount of secret key required can also be reduced. To estimate this amount exactly one needs to specify the function family applied. We choose the set of affine transformations:

$H_Z = \{ f = (\Phi, \beta) \mid \Phi$: all $(n \times r)$ binary Toeplitz matrices; $\beta$: all $(n \times 1)$ binary vectors$\}$,

$f(z) = \Phi z + \beta \bmod 2$ .   (7)

This function family is strongly universal$_2$ as shown in Ref. [13] and is indexed by $r + 2n - 1$ parameters. For $r = 256$ and $n = 64$, obviously the message length exceeds the required secret key already for strings longer than 384 bits. In contrast to the primitive used by Wegman and Carter this amount is constant by definition and does not increase with $m$.



PROTOCOL IMPLEMENTATION 

In Section 2 above we have only given a general description of a new primitive suitable for authentication in QKD settings, leaving the question of the exact protocol extracts to be authenticated completely aside. It is beyond the scope of the present paper to address this topic in detail. This issue has however been thoroughly discussed in Refs. [?] and [?]. Certainly an authentication of the full protocol transcript is one (inefficient) extreme possibility. In Ref. [?] it is shown that authenticating the sifting phase discussion and the results of the error correction phase is sufficient. In this reference it is also suggested that (the relevant parts of) the transcript are not authenticated at once, but rather the bit strings to be authenticated are separately processed as soon as they are generated in the respective QKD protocol phases. A particular advantage of this approach with respect to the cryptographic primitive proposed in Section 2 above is that all the bit strings to be authenticated are randomly and uniformly distributed in the space of all possible strings of the corresponding dimension. Thus, if this protocol is employed, an initial randomization is not required for a secure application of the primitive described above.

We have implemented an authentication algorithm based on the primitive presented in this paper, whereby, provisionally, SHA is used as the initial hash function. This algorithm is part of a constantly developed modular software set-up, which is integrated in the framework of an embedded general purpose QKD hardware-software prototype dedicated to data acquisition and subsequent QKD protocol processing and data encryption (currently AES and One Time Pad are implemented). A public demonstration of the functionality of this QKD prototype together with an optic segment implementing entangled-photon key generation recently took place in the form of a "Q-Banking" transaction, which was carried out between two buildings in Vienna, Austria: the Rathaus (city hall) and the seat of Bank Austria Creditanstalt [?]. The current version of the software set-up is designed in the form of a C library "QKD III" which allows application by choice of alternative quantum-acquisition protocols, error correction, privacy amplification and authentication algorithms, and can alternatively be compiled for use in PC or embedded environments. The QKD protocol implemented, in contrast to an earlier version used in the "Q-Banking" experiment, follows the approach suggested in Ref. [5]. This protocol is by design robust against a potential loophole in this earlier version. The latter is discussed in detail in Ref. [?].